Authentication in an IP multimedia subsystem network where an in-use line identifier (LID) does not match a registered LID

ABSTRACT

A method and telecommunication node for authenticating with an IP Multimedia Subsystem (IMS) network, a nomadic user in an access network. The node receives from the access network, an access identifier defining a mobile terminal&#39;s physical location. In response, the node retrieves from a database, a registered access identifier associated with the user and determines whether the received identifier matches the registered identifier. If the identifiers match, the node authenticates the user in the IMS network. If the identifiers do not match, the node performs an alternate authentication method.

TECHNICAL FIELD

The invention relates to the field of authentication of a user in acommunications network.

BACKGROUND

IP Multimedia (IPMM) is an example of a service that provides a dynamiccombination of voice, video, messaging, data, etc, within the samesession. By growing the numbers of basic applications and the media thatit is possible to combine, the number of services offered to the endusers will grow, and the inter-personal communication experience will beenriched. This will lead to a new generation of personalised, richmultimedia communication services, e.g. peer-to-peer multimediacommunication, IPTV etc.

These services can be based on the IP Multimedia Subsystem (IMS)architecture, which is the technology defined by the Third GenerationPartnership Project (3GPP) to provide IP Multimedia services over mobilecommunication networks (3GPP TS 22.228, TS 23.228, TS 24.229, TS 29.228,TS 29.229, TS 29.328 and TS 29.329 Releases 5 to 7).

The IMS makes use of the Session Initiation Protocol (SIP) to set up andcontrol calls or sessions between user terminals (or user terminals andapplication servers). The Session Description Protocol (SDP), carried bySIP signalling, is used to describe and negotiate the media componentsof the session. FIG. 1 illustrates schematically how the IMS fits intothe mobile network architecture in the case of a 3GPP PS access domain.

When a user wishes to access any network from a fixed line, the user mayfirst be authenticated in an access network using a Network AttachmentSub-System (NASS) (ETSI TS 282 004 v1.1.1). The NASS allocates an IPaddress to the fixed line in use, and authenticates and authorises theuser. The NASS can also be used to configure preferences in the accessnetwork, depending on a user profile stored by the NASS.

When authenticating the end user in the access network, the user'sterminal sends an in-use Line Identifier (LID) associated with the fixedline that the terminal is using to access the network. The LID isforwarded to a NASS entity called a Connectivity Session Location andRepository Functions (CLF). The CLF then associates the user's LID withthe user's assigned IP address.

For users accessing an IMS network from a fixed line, ETSI TS 183 033TISPAN defines a method of authentication for IMS users. This method isknown as NASS-IMS bundled (NAB). The NAB method allows the IMS layer tore-use existing Network Attachment Sub-System (NASS) authenticationstatus, as illustrated in FIG. 2. The IMS network performs a Line IDcheck, and if it is successful then the TISPAN IMS network trusts theaccess network authentication status and marks the user asauthenticated.

In more detail, upon IMS-SIP registration, a Proxy-Call Session ControlFunction (P-CSCF) in the IMS network queries the CLF in the accessnetwork to retrieve the in-use LID and the IP address assigned to thein-use line. The P-CSCF uses the retrieved IP address in the SIPRegister as a query key. The in-use LID is inserted into a SIP Registermessage using the P-Access-Network-Info (PANI) parameter of the SIPRegister message. The REGISTER message containing the LID value is thensent to a Serving-Call Session Control Function (S-CSCF). When theS-CSCF performs a Multimedia Authentication Request (MAR) operation, itmay not know the authentication scheme in use, and so the S-CSCF setsthe Authentication-scheme Attribute Value Pair (AVP) in the MAR to“unknown”. The MAR is sent to a Home Subscriber Server (HSS), whichselects an authentication scheme based on the subscribed authenticationmethod. The user's IMS Private Identity (IMPI) and IMS Public Identity(IMPU), that are used in the SIP Registration procedure, are included inthe MAR sent towards the HSS.

The HSS retrieves a registered Line Identifier (LID′) from a database.LID′ is a registered line identifier that is associated with the userand stored in the user's profile.

When the HSS responds to the S-CSCF with a Multimedia Authenticationanswer, the HSS sets the Authentication-scheme AVP to “NASS Bundled”,and includes LID′ in the Multimedia Authentication answer.

The S-CSCF compares LID′ returned by the HSS with LID received from theaccessing terminal. If LID matches LID′, then S-CSCF sends a SAR messageto the HSS. In this case, the user is considered successfullyauthenticated. The signalling sequence described above is illustrated inFIG. 3.

A problem with this solution is that it relies upon a correctassociation between the in-use Line Identifier (LID) value obtained fromthe CLF in the NASS, and registered Line Identifier LID′ stored in theuser's IMS profile.

Referring to the example scenario illustrated in FIG. 4, a nomadic usermakes use of a third party's fixed-line broadband connection (forexample, the user may be a guest the third party's home and make use ofthe available DSL line or Fiber line). IMS registration relies on theregistering user having an IMS identity, which is typically stored on acard. In order to register with an IMS network, the user must send theiridentity to the network. The nomadic user attaches to a fixed lineconnection in any one of a number of standard ways. For example, thenomadic could plug a 3G-enabled laptop into a modem, make use of anavailable WLAN router, or insert their smart-card/SIM-card/ISIM-cardinto local equipment. If authentication in the conventional NASS via theUser Access Authorisation Function/Profile Database Function (UAAF/PDBF)is successful, the user can use the fixed-line broadband connectionregardless of the user's IMS credentials. However, if the nomadic userthen decides to register with an IMS network to make use of IMSservices, the user sends its IMS Private Identity (IMPI) and IMS PublicIdentity (IMPU) to the IMS S-CSCF, according to 3GPP TS 24.229 V7.4.0(2006-06). The S-CSCF sends the following information to the UPSF/HSS aspart of the registration:

-   -   Authentication-scheme AVP set to “unknown”    -   User's IMPI and IMPU

If the user attempting IMS registration has a NASS-Bundledauthentication scheme enabled in his subscription, then the HSS/UPSFwill return the user's registered LID′ back to the S-CSCF. However, thein-use LID differs from LID′ stored in the user profile, as the user isnot using a fixed-line connection registered to that user. As aconsequence, the S-CSCF cannot authenticate the user and notifies theuser terminal accordingly. Further attempts by the terminal to registerwith the IMS network may be interpreted by the IMS network as a Denialof Service attack or fraud attempt, resulting in the IMS end user beingblacklisted or blocked. This situation is not solved by ETSI TS 183 033TISPAN.

This problem can occur whenever an IMS user (for which NABauthentication is enabled) makes use of a fixed line connection with anin-use LID value that is different from the registered LID′ valueassociated with the user in their IMS profile and stored in the HSS, forexample, whenever an IMS user makes use of a visited WLAN/Wimax accesspoint (which ultimately connects to a network using a fixed line) as aguest user.

SUMMARY

It is desirable to allow a nomadic user to be authenticated in an IMSnetwork using NASS-Bundled authentication where the nomadic user's LIDvalue does not match the LID′ value associated with the user in theirIMS profile.

According to a first aspect of the invention, there is provided a methodof authenticating a user in an IP Multimedia Subsystem network, themethod comprising:

-   -   receiving from an access network an access identifier defining a        terminal's physical location;    -   retrieving from a database a registered access identifier        associated with the user; and    -   determining if the received access identifier matches the        registered access identifier, and if so then authenticating the        user in the IMS network, and if not then performing an        alternative authentication method.

It is preferred that the alternative authentication method is selectedfrom a list of authentication methods contained in a user profile storedby the IP Multimedia Subsystem network. The selection may be made on thebasis of criteria selected from user preference; operator preference;network domain; security preference; and access technology.

It is preferred that the access identifier received from the accessnetwork is an in-use Line Identifier, that defines the line throughwhich the terminal connects. However, other types of identifier thatdefine a line may be used, including a Service Set Identifier.

In a preferred embodiment, the method comprises the steps of, prior toreceiving the access identifier, receiving in the access network anin-use Line Identifier. The user is then authenticated in the accessnetwork. A pre-registered Line Identifier is retrieved from an accessnetwork database and it is determined whether the pre-registered LineIdentifier matches the in-use Line Identifier. If not then a VisitingLine Identifier is generated, which is used as the received LineIdentifier in the IMS network.

The alternative authentication method may comprise determining whetherthe Line Identifier received from the access network is a Visiting LineIdentifier, and if so, authenticating the user.

The Line Identifier received from the access network may be aconcatenated line identifier comprising both the Visiting LineIdentifier and the in-use Line Identifier.

Where a concatenated Line Identifier is used, the method may furthercomprise deconcatenating the concatenated Line Identifier into theVisiting Line Identifier and the in-use Line Identifier; and using thein-use Line Identifier for any one of:

-   -   authorizing the user in the network;    -   determining the geographical location of the user;    -   triggering Initial Filter Criteria relating to a user session;        and    -   elaborating statistics relating to users of the IP Multimedia        Subsystem network using a Visiting Line Identifier.

The method may further comprise retrieving from a database a userprofile of an IP Multimedia Subsystem user associated with the in-useLine Identifier. In this way, a user profile of the user associated withthe in-use Line Identifier can be obtained which can be used todetermine whether or not to allow registration of the registering userwith the IMS network.

The access network may be accessed via an http proxy.

According to a second aspect of the invention, there is provided a nodefor use in a IP Multimedia Subsystem network, the node comprising:

-   -   a receiver for receiving from an access network a Line        Identifier associated with a user terminal;    -   retrieving means for retrieving from a database a registered        Line Identifier associated with the user;    -   authentication means for determining if the received Line        Identifier matches the retrieved Line Identifier and if so then        authenticating the user in the IP Multimedia Subsystem network,        and if not then performing an alternative authentication method.

The node may be a Call Session Control Function

According to a third aspect of the invention, there is provided a nodefor use in an access network, the node comprising:

-   -   a receiver for receiving a Line Identifier associated with a        user terminal;    -   retrieving means for retrieving from a database a pre-registered        Line Identifier associated with the user;    -   determining means for determining if the received Line        Identifier matches the retrieved Line Identifier; and    -   generating means for, if it is determined that the received Line        Identifier does not match the pre-registered Line Identifier,        generating a Visiting Line Identifier.

The node may be a Connectivity Session Location and Repository Function.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates schematically how the IMS fits into the mobilenetwork architecture in the case of a 3GPP PS access domain;

FIG. 2 illustrates schematically authentication of a user in an accessnetwork using Network Attachment Sub-System IMS bundled authentication;

FIG. 3 illustrates schematically a signalling sequence to authenticate auser in an access network using Network Attachment Sub-System IMSbundled authentication;

FIG. 4 illustrates schematically the process of a nomadic userattempting to access an IMS network using Network Attachment Sub-SystemIMS bundled authentication;

FIG. 5 illustrates schematically an alternative authentication methodfor a nomadic user where the user's Line Identifier does not match theLine Identifier stored in the user's profile;

FIG. 6 illustrates schematically the process of tagging a LineIdentifier as a visiting Line Identifier;

FIG. 7 illustrates schematically Network Attachment Sub-System IMSbundled authentication based on a Visiting Line Identifier;

FIG. 8 illustrates schematically a concatenated Line Identifiercomprising a connected Line Identifier and a Visiting Line Identifier;

FIG. 9 illustrates schematically the ways in which a Serving-SessionControl Function obtains profile information related to a Connected LineIdentifier;

FIG. 10 illustrates schematically a NASS-IMS and NASS-Ut BundledAuthentication Architecture;

FIG. 11 illustrates schematically signalling for NASS-Ut BundledAuthentication;

DETAILED DESCRIPTION

One way to authenticate a user in a fixed line access network usingNetwork Attachment Sub-System-Bundled (NAB) authentication is to allow aServing-Call Session Control Function (S-CSCF) to perform an alternativeauthentication procedure where a re-registered LID′ does not match anin-use LID. Referring to FIG. 5, when a nomadic user attempts SIPregistration, the Serving-Call Session Control Function (S-CSCF)retrieves the user profile from the Home Subscriber Server (HSS)/UPSF.The user's profile includes one or more pre-registered Line Identifiervalues LID′ stored in their IMS profile. The user profile may alsoinclude a list of allowed user authentication methods. In the case of anomadic user, when the retrieved LID′ differs from network received LID(LID′< >LID) then the S-CSCF selects an alternative user authenticationmethod from the list in the user profile previously provided by theHSS/UPSF. For example, if IMS AKA (as defined in 3GPP TS 33.203) isincluded in the list of allowable authentication procedures, then theS-CSCF sends a Cx Authentication Vector request to the HSS/UPSF and aSIP Not-Authorized-Authentication Challenge request to the terminal.

The S-CSCF may select an alternative authentication procedure based on aset of variable criteria, for example user preference, operatorpreference, NASS domain in use, degree of required security and trust,access technology in use, and so on. However, it is not possible to usethe solution described above for the case when an IMS end-user only hasNASS-bundled authentication enabled in the list, or if the terminal onlysupports NASS-bundled.

In a second embodiment, an additional parameter called Visiting LineIdentifier is introduced in the Network Attachment Sub-System (NASS)signalling. This parameter can be used as an alternative authenticationprocedure by an S-CSCF during subsequent IMS registration. When aterminal has been successfully authenticated in the NASS, the line usedby the terminal is assigned an IP address. A subscriber authenticationentity and/or subscriber database called the User Access AuthorisationFunction/Profile Database Function (UAAF/PDBF) stores a pre-registeredline identifier LID′, associated with the user's NASS profile. Anassociation between the assigned IP address and the in-use LID (alsocalled a Logical Access Id) is registered in a Connectivity SessionLocation and Repository Function (CLF) in the NASS. The nomadic user hasa profile stored at the PDBF, the profile including LID′. The LID′valuestored at the UAAF/PDBF is sent to the CLF, along with the in-use LIDvalue and any other profiles associated with the user. When the user isnomadic, the Line Identifier value LID′ differs from the in-use LineIdentifier LID. In this case, the CLF tags LID′ as a Visiting LID andstores this value along with the rest of the user's access sessioninformation.

FIG. 6 illustrates the process of tagging a Line Identifier as aVisiting Line Identifier. FIG. 6 is based on TISPAN NASS sequence flows(available in chapter 7 of ETSI TS 282 004 v1.1.1) although it amendsthe sequence flows with the addition of the Visiting Line Identifiercurrently not considered by the NASS standard. Step 2 of FIG. 6 includesthe value LID′ sent by the UAAF/PDBF to the CLF. This parameter may ormay not take the same value as the current optional parameterSubscriber-Id also sent by the UAAF/PDBF to the CLF and described inETSI TS 282 004 v1.1.1.

As illustrated in FIG. 7, when the user has been successfullyauthenticated in the NASS, and subsequently attempts to initiate an IMSSIP Register procedure, the Proxy-Call Session Control Function (P-CSCF)queries the CLF in the NASS for the in-use LID. If LID′ has not beentagged at the CLF as a Visiting Line Identifier, then the CLF returnsthe in-use LID value to the P-CSCF. During SIP registration, the LIDvalue returned to the P-CSCF is sent to the S-CSCF where a comparison ismade between LID and the pre-registered LID′ stored in the user's IMSprofile. Assuming that LID and LID′ match, the user is authenticated inthe IMS network.

If LID′ has been tagged at the CLF as a Visiting Line Identifier, thenthe CLF returns the Visiting LID value to the P-CSCF rather than thein-use LID. The use of a Visiting LID tag can be included in the list ofuser supported authentication methods (returned by the HSS to theS-CSCF) in the user profile, as described above. The IMS network truststhe NASS network and authenticates the user in the IMS network eventhough LID′ and LID do not match.

A variation of the second embodiment is to define the LID parameter as aconcatenation of line identifiers as depicted in FIG. 8. The LineIdentifier is defined as a concatenation of the in-use LID and theVisiting LID. The concatenation is performed in the CLF since the CLFreceives both values during the user's authentication procedure in theNASS. When a user attempts to register with an IMS network as describedabove, the CLF returns the concatenated line identifier to the P-CSCF,which sends it to the S-CSCF. The S-CSCF de-concatenates the lineidentifier into the in-use LID value and the Visiting LID value. TheS-CSCF uses the Visiting LID to authenticate the IMS end user viaNASS-Bundled authentication as described above. The S-CSCF may also usethe in-use LID for the following purposes:

-   -   As authorization criteria to check if the authenticated nomadic        user is allowed to make use of the in-use line for IMS. This can        be based on user profile criteria of the subscriber, operator        criteria, network resource usage criteria and any combination of        these.    -   As a means to physically locate an IMS user.    -   As a means to obtain statistics regarding the number of IMS        users tagged with a Visiting LID that are making use of a given        in-use LID, their behaviour patterns, generated IMS traffic per        Visiting LID vs. all traffic on the in-use LID, and so on. This        function can be used to prevent possible fraud attempts.    -   As a means to trigger specific IMS services via Initial Filter        Criteria that consider both the value of the in-use Line        Identifier as well as the value of the Visiting LID.

The S-CSCF may also send the concatenated line identifier to the HSS(once the user is authenticated in the IMS network) so that the HSS/UPSFmay offer this value over the Sh interface to application servers.

When the S-CSCF receives a Concatenated Line-identifier, itde-concatenates said identifier into an in-use LID and a Visiting LID,as described above. The Visiting LID pertains to the IMS user that isregistering with the IMS network, and the in-use LID pertains to asecond user who “owns” the in-use LID. The user's profile information isobtained from the HSS during the IMS Registration procedure. To obtainprofile information related to the “owner” of the in-use LID, the S-CSCFqueries a profile database using the in-use LID value as a query key.The S-CSCF resolves the network domain to which the in-use LID belongs,which also includes a number portability check. The querying andresolving operations can be done via ENUM/DNS (Domain Name System) orsignalling S7 mechanisms. Once this is performed, the S-CSCF receives aSIP URI or TEL URI that is related to the in-use LID and that can beused to correctly route the query to the domain of the subscriber'sdatabase. By obtaining profile information of the user who “owns” thein-use LID, the S-CSCF can make decisions on whether to authorise theregistering IMS user or not, depending on the information contained inthe obtained user profile.

The S-CSCF can perform one of the following actions, as illustrated inFIG. 9:

-   -   Issue a new Diameter/Cx request to the HSS/UPSF of the Connected        Line Identifier with the value as user-id. Note that in this        case the S-CSCF and the HSS may belong to different domains so        the viability of this case depends on the degree of trust and        security between the two domains. In order to avoid sending the        entire user profile from the HSS/UPSF in one domain to the        S-CSCF in another domain, only data related to the issue of        nomadic users making use of a given in-use LID is returned by        the HSS to the S-CSCF. This data can then be used by the S-CSCF        to take decisions and enforce policies on the Visiting Line        Identifier.    -   Implement a new interface between the S-CSCF and a Policy and        Charging Rules Function (PCRF). This interface is based on (but        not the same as) Diamter/Gx. In this instance, there is also        provided a PCRF<−>PCRF interface between domains to transfer        information to the S-CSCF.    -   Implement the data related to the issue of nomadic users making        use of an in-use Line in a specific server. The interface        between the S-CSCF and another entity able to provide        information relating to the user could be any protocol (SIP,        LDAP, Diameter, etc).

The most complicated case has been depicted in FIG. 9. The simplest caseis when the Nomadic User's IMS home domain is the same as the ConnectedLine Identifier's IMS Home Domain.

User clients connecting to an IMS network over a TISPAN fixed accessbroadband network will not only be provided with a SIP interface. It islikely that this kind of client also has an http interface such as a Utinterface, used typically for self administration and provisioning ofuser data to different applications available through the TISPAN-IMSconnection.

User access to a network over Ut is typically arranged through an httpproxy. The proxy interfaces a number of Application Servers or ServiceProviders, and is able to execute some functions on behalf of them,including user authentication. As an example, the Presence and GroupManagement enabler as defined by OMA and re-used in the 3GPP Presencearchitecture over IMS, uses the so called Aggregation Proxy, whichauthenticates user access to XDM servers. In a 3GPP (mobile)environment, the Aggregation or Authentication proxy authenticates usersusing mechanisms defined in early IMS, GAA/GBA or proprietary interfaceslike Ericsson's Zx. In an alternative embodiment of the invention, auser has access to an application server via an http interface (e.g. Ut)from a TISPAN fixed broadband access network, as illustrated in FIGS. 10and 11. The user is authenticated making use of the enhanced NASS-IMSbundled mechanism described above.

Once NASS authentication has occurred, the IMS authentication signallingsequence is as follows:

-   -   The user terminal initiates an http request including its IP        Address and a user identity (e.g. IMPU).    -   The http-proxy (AP in FIGS. 10 and 11) performs a CLF query        using the received terminal IP Address in order to receive a        Line Identifier. The LID information returned by the CLF to the        AP may be the in-use LID or a Visiting LID, depending on whether        or not the user is nomadic.    -   The AP requests from the HSS the pre-registered LID′ information        for that particular user IMPU. The AP can re use either the Sh        or Zx interfaces and messages. Zx needs to be updated so the HSS        provides the Subscribed Line ID in the response to the AP    -   The AP compares the LID′ retrieved from the HSS with the LID        provided by the NASS via the CLF.

In the case where no http proxy exists in the system, every AS/SPimplements interfaces towards the CLF and the HSS to execute theprocedures of NASS-Ut Bundled Authentication.

The invention described above provides a mechanism for nomadic users inthe TISPAN access layer to also make use of NASS-bundled authenticationin the TISPAN IMS layer, and avoids NASS-bundled authentication failingdue to a mismatch between the in-use LID and the nomadic subscriber'spre-registered LID′. The TISPAN IMS layer can apply rules and policiesrelated to the owner of the line (in-use LID) and the user of the line(Visiting LID).

It will be appreciated by persons skilled in the art that variousmodifications may be made to the above described embodiments withoutdeparting from the scope of the present invention. For example, theinvention has been described in terms of a fixed line access network.However, the invention could, for example, apply to access using aWireless Local Area Network (WLAN). In this case, the Service SetIdentifier (SSID) that differentiates one WLAN from another WLAN couldbe used in place of a LID.

The invention claimed is:
 1. A method of authenticating a terminal in anIP Multimedia Subsystem (IMS) network node, wherein the terminal has aregistered Line Identifier (LID) stored in the IMS network and theterminal requests access to the IMS network using a third party'sfixed-line broadband connection having an in-use LID different from theterminal's registered LID, the method comprising: receiving by the IMSnetwork node from an access network, an access request including thein-use LID and a terminal identifier for the terminal; retrieving by theIMS network node from a database, the registered LID associated with theterminal, and a list of alternative authentication methods allowed forthe terminal; determining by the IMS network node, that the in-use LIDreceived in the access request does not match the terminal's registeredLID; in response to determining that the in-use LID received in theaccess request does not match the terminal's registered LID, selectingfrom the list by the IMS network node, an alternative authenticationmethod for authenticating the terminal; and performing by the IMSnetwork node, the selected alternative authentication method for theterminal.
 2. The method according to claim 1, wherein the selecting stepincludes selecting the alternative authentication method based oncriteria selected from: a user preference; an operator preference; anetwork domain; a security preference; and an access technology.
 3. Themethod according to claim 1, further comprising accessing the accessnetwork via an http proxy.
 4. A method of authenticating a user terminalin an access network providing access to an IP Multimedia Subsystem(IMS) network, wherein the user terminal has a registered LineIdentifier stored in the access network and the user terminal requestsaccess using a third party's fixed-line broadband connection having anin-use Line Identifier different from the user terminal's registeredLine Identifier, the method comprising: receiving in the access network,an access request including the in-use Line Identifier and a terminalidentifier for the user terminal; authenticating the user terminal inthe access network; retrieving from an access network database, apre-registered Line Identifier associated with the user terminal;determining by the access network that the pre-registered LineIdentifier does not match the in-use Line Identifier; generating fromthe in-use Line Identifier a Visiting Line Identifier in response todetermining that the pre-registered Line Identifier does not match thein-use Line Identifier; and sending the Visiting Line Identifier fromthe access network to the IMS network.
 5. The method according to claim4, further comprising: determining by the IMS network that the VisitingLine Identifier received from the access network does not match thepre-registered Line Identifier; and authenticating the user terminal inthe IMS network even though the Vision Line Identifier does not matchthe pre-registered Line Identifier.
 6. The method according to claim 5,wherein the step of generating the Visiting Line Identifier includesgenerating a concatenated Line Identifier comprising the Visiting LineIdentifier and the in-use Line Identifier.
 7. The method according toclaim 6, further comprising: deconcatenating the concatenated LineIdentifier into the Visiting Line Identifier and the in-use LineIdentifier; and using the in-use Line Identifier for any one ofauthorizing the user in the IMS network; determining the geographicallocation of the user; triggering Initial Filter Criteria relating to auser session; and elaborating statistics relating to users of the IMSnetwork using a Visiting Line Identifier.
 8. A node for use in an IPMultimedia Subsystem (IMS) network, the node comprising a processorcoupled to a non-transitory memory for storing computer programinstructions, wherein when the processor executes the computer programinstructions, the processor causes the node to: receive from a accessnetwork, an access request including an in-use access identifier and aterminal identifier associated with a user terminal; retrieve from adatabase, a registered access identifier associated with the userterminal, and a list of alternative authentication methods allowed forthe user terminal; determine whether the received in-use accessidentifier matches the registered access identifier; authenticate theuser terminal in the IMS network when the received in-use accessidentifier matches the registered access identifier; and perform analternative authentication method selected from the list when thereceived access identifier does not match the registered accessidentifier.
 9. The node according to claim 8, wherein the node is a CallSession Control Function.
 10. The node according to claim 8, wherein thein-use access identifier received from the access network is selectedfrom an in-use Line Identifier and a Service Set Identifier.
 11. A nodefor use in an access network providing access to an IP MultimediaSubsystem (IMS) network, the node comprising a processor coupled to anon-transitory memory for storing computer program instructions, whereinwhen the processor executes the computer program instructions, theprocessor causes the node to: receive an access request including anin-use Line Identifier and a terminal identifier associated with a userterminal; authenticate the user terminal in the access network; retrievefrom a database, a pre-registered Line Identifier associated with theuser terminal; determine that the received in-use Line Identifier doesnot match the pre-registered Line Identifier; generate from the in-useLine Identifier a Visiting Line Identifier in response to determiningthat the received in-use Line Identifier does not match thepre-registered Line Identifier; and send the Visiting Line Identifier tothe IMS network.
 12. The node according to claim 11, wherein the node isa Connectivity Session Location and Repository Function.